

QUALYS SECURITY CONFERENCE 2018 


Where Are We Now and Where Is
the Industry Going?


Making the World Safer - One App at a Time 


Philippe Courtot 
Chairman and CEO, Qualys, Inc. 


Our Beginnings 


Qualys Cloud Platform 1.0 
The Vulnerability Management 
years - 1999 to 201 


Huge resistance to 
Cloud adoption 


Scalability/accuracy 


Consolidation 
of best-of-breed 
solutions 


© Qualys. 


Where Are We Now?


Qualys Cloud Platform 2.0


Delivering an Integrated Suite
of Security and Compliance
solutions - 2012 to 2018


Major re-architecting
of our Back-End


Started OPS, DevOps,
Customer Support and
Engineering In India


Expanded our solution
to more than 10 Apps
and made our first
technology acquisitions

QSC Conference, 2018 November 29, 2018 © Qualys. 


Where Are We
Going?


Qualys Cloud Platform 3.0 
Single pane of view that 
unifies IT, Security & 
Compliance - Entering 
the OT and IoT space

- 2019 to 2021 


Groundbreaking 
Global IT Asset 
Inventory solution 


Consolidating 
more solutions 


Bringing to market 
an integrated 
Incident Response
solution 




Where is the 
Industry Going? 


Major Consolidation 

The era of the Cloud Is 
coming fast and furious 
and unavoidable 

- 2019 to 2021 


The Irresistible Rise 
of the Public Cloud 
Platforms 


From Business continuity 
to Cyber Resilience 


Building Security In 
- Not Bolting it on 


Accelerated Industry 
Consolidation 


Regaining Our Lost Visibility


Sumedh Thakar 
Chief Product Officer, Qualys, Inc. 


IT Transformation


Infrastructure & Application 


Digital 
Transformation 


Holistic Transformation of 
Business to Digital 


Cloud, Containers, IaaS, PaaS,


OT, IIoT, IoT, Mobility, Web
apps, APIs, Mobile Apps
Hybrid Cloud Overview Architecture


Work Stations 


Mobile Workforce 
[Diagram: West Coast Datacenter, East Coast Datacenter, redis, storage]


On-Premise 
Containers


Real game changer 


Hypervisor disappearing, bare 
metal is back 


Kubernetes Infrastructure-as-code 
Container-as-a-Service AWS Fargate 


AWS Lambda function-as-a-service, 
serverless! 


Kubefed? 


"Priceline" for Containers? 
DevOps


This is real and highly contagious 


Developer decides how 
infrastructure runs in production 


Speeds up significantly how fast 
code goes to production 


On-Prem


Shrinking Datacenter Footprint 
Increasing OT & IIoT
Corp IT - more distributed & mobile 


More IoT!
Enterprise
Mobility - BYoD


Enterprise owned handheld devices 
Indispensable to modern business 


Running apps handling sensitive 
business & consumer data 


Mobile! 
Web Apps & APIs


Web Apps for the humans 
APIs for the inhumans 


Wide window into all your data 
SaaS


More aaS everywhere 
No infrastructure to manage 


No Applications to code or manage 
SaaS


Lead the charge
against bloated 5 
Security


IBM PC AT 
November 13, 1984


PC Magazine about IBM PC AT 


“The AT provides the first real system for allowing 
executives to sleep at night: 


A hard-to-duplicate ‘tubular’ key locks all but key holders 
out of the system” 
34 years later


No magic key = No sleep at night! 
Same challenges x 10 


No visibility across global hybrid 
infrastructure 


Still need to do Vulnerability &
Configuration management 


Still need to monitor integrity of systems(?) 


More data incoming into "SIEM" 
deployments 


Basically no visibility to respond 


Compliance demands on new infrastructure 
Future of Security


Transparent Orchestration 


Built-in Automation the only real 
solution 


Starts in DevOps 


New generation of Security Analytics 
platforms 
Qualys
Platform Approach 


Embracing our own Digital 
Transformation 


Massive expansion of backend for 
visibility - 620 Billion security 
datapoints indexed 


Comprehensive coverage of 
sensors - scanners, agents, cloud 
connectors, container sensors, 
passive sniffers and mobile agents 
Qualys
Platform Approach 


Extending solutions into 
remediation & response 


Building dedicated Data science 
team 


Rapid expansion of R&D org 


Key technology acquisitions & 
Investments 


Acquisitions & Investments


Nevis: Passive Scanning & Secure Access Control
Netwatcher: Event Correlation Platform
1Mobility: Enterprise Mobility
Layered Insight: Built-in Runtime Container Security
42Crunch (Investment): API Security


Frog 1 


Frog 2 
Qualys Cloud Apps


ASSET MANAGEMENT

Asset Inventory: Maintain full, instant visibility of all your global IT assets
CMDB Sync: Synchronize asset information from Qualys into ServiceNow CMDB
Cloud Inventory: Inventory of all your cloud assets across AWS, Azure, GCP and others
Certificate Inventory: Inventory of TLS/SSL digital certificates on a global scale


Vulnerability Management: Continuously detect and protect against attacks, anytime, anywhere
Threat Protection: Pinpoint your most critical threats and prioritize patching
Continuous Monitoring: Alerts you in real time about network irregularities
Indication of Compromise: Continuously monitor endpoints to detect suspicious activity
Container Security: Discover, track, and continuously protect containers
Certificate Assessment: Assess all your digital certificates for TLS/SSL vulnerabilities


COMPLIANCE MONITORING

Policy Compliance: Assess security configurations of IT systems throughout your network
PCI Compliance: Automate, simplify and attain PCI compliance quickly
File Integrity Monitoring: Log and track file changes across global IT systems
Security Configuration Assessment: Automate configuration assessment of global IT assets
Cloud Security Assessment: Get full visibility and control across all public cloud instances
Security Assessment Questionnaire: Minimize the risk of doing business with vendors and other third parties


WEB APPLICATION SECURITY

Web Application Scanning: Secure web applications with end-to-end protection
Web Application Firewall: Block attacks and virtually patch web application vulnerabilities
Q4 2018 - more apps to come


[Timeline: 2018 to 2019]

Patch Management - beta
Global IT Asset Management (managed assets) - GA
Passive Network Sensor (unmanaged assets) - beta
2019 - even more apps to come!


Secure Enterprise Mobility 
Secure Access Control 

API Security

Software Composition Analysis 
Breach and Attack Simulation 


Security Data Lake & Correlation Platform 
Unified Dashboards


[Screenshot: Qualys Enterprise dashboard, Last 30 Days. Panels: TOP EOL SOFTWARE PUBLISHERS (Symantec, Oracle, Mozilla, Google, Microsoft); TOTAL BY SEVERITY; MISSING PATCHES BY PLATFORM (Server 2016: 3400, Windows 7: 1200, Server 2012: 872, Server 2008: 4300, Windows 10: 3200); ASSETS WITH ACTIVE ZERO DAY AND NO PATCH AVAILABLE; TOP 5 FAILING POLICIES; LICENCE OVERVIEW (VM Agents 27/99)]
It's the Platform!


(a real one) 


Qualys Cloud Platform 


Looking Under the Hood: What Makes Our Cloud 
Platform so Scalable and Powerful 


Cloud Platform Environment 


Security at scale on hybrid clouds 


15+ products providing 
comprehensive suite of security 
solutions 


10,300+ customers 


7 shared cloud platforms across
North America, Europe & Asia


70+ private cloud platforms
deployed globally... on-prem, AWS,
Azure, GCP


16+ PB storage and 16,000 cores
Cloud Platform Highlights


1+ trillion security events annually 


3+ billion scans annually 


2.5+ billion messages daily across
Kafka clusters


620+ billion data points indexed in
our Elasticsearch clusters


Unprecedented 2-second visibility


Qualys Cloud Platform 


Sensors, Data Platform, Microservices, DevOps 


Application Services / Shared Services / Stream & Batch Processing / Reporting / Analytics
Cloud Passive Scanners Scanners Appliances Virtual Scanners Internet Scanners


Qualys Sensor Platform 


Scalable, self-updating & centrally managed 


Physical 


Legacy data centers 
Corporate infrastructure 


Continuous security and 
compliance scanning 




Virtual 
Private cloud 
infrastructure 
Virtualized Infrastructure 


Continuous security and 
compliance scanning 




Cloud/Container 


Commercial IaaS & PaaS
clouds 


Pre-certified in market 
place 


Fully automated with 
API orchestration 


Continuous security and 
compliance scanning 




Cloud Agents 


Light weight, multi- 
platform 


On premise, elastic 
cloud & endpoints 


Real-time data collection 


Continuous evaluation 
on platform for security 
and compliance 


Passive 


Passively sniff on 
network 


Real-time device 
discovery & 
identification 


Identification of APT
network traffic


Extract malware files
from network for
analysis


API 


Integration with Threat 
Intel feeds 


CMDB Integration 


Log connectors 


Data Platform-as-a-Service 


Right database for the right use 
case 


* Highly scalable architecture
* Predictable performance at scale
* Distributed and fault-tolerant
* Multi-datacenter support
* Open-source
* Commodity hardware


[Logos: cassandra, elastic, redis, kafka, ceph]
Data Platform-as-a-Service


Asynchronous, 
event-driven 
architecture 


Foundation for 
Qualys Cloud 
Platform 


Over 2.5 billion 
messages per day 


Elasticsearch


Search for anything 


Over 620 billion 
data points indexed 


Estimating about 1
trillion data points
by year end


Cassandra


Low latency 
storage 


Source of truth for 
data across 
multiple products 


Redis
In-memory cache 


Improved system 
performance for 
frequently 
accessed data 


Ceph
Object storage 


Moving Oracle and 
in-house blob 
storage into Ceph 


Microservices & Cloud Native Architectures 
Reduce risk and ship faster 


Change how we design and build 
applications and services 
* Monoliths to microservices
* Well defined APIs
* Packaged in containers
* Deployed on elastic infrastructure
* 12-Factor apps
* CI/CD, Service Registry, Config Servers

[Logos: Vault, Consul]
DevOps - Increased Efficiency


Goal is to make software 
delivery vastly more efficient 


Supporting about 80 shared 
and private cloud 
deployments 


Google Cloud Platform 
Automation - Infrastructure as Code


Treat systems running your
software as if they themselves
are software


Automate
* Infra provisioning
* Configuration management
* Deployments...

... all using code

[Logos: kubernetes, Terraform, Ansible, Vault, Consul, Jenkins]
Monitoring Systems - Observability


Centrally monitor across all
platforms using a single-pane


End-to-end monitoring using
* Time series metrics
* Distributed tracing
* Log aggregation & analytics
* Alerting

[Logos: Prometheus, Grafana, elasticsearch, logstash, kibana, pagerduty, catchpoint, AppDynamics, kafka, splunk]
Integrated Security - DevSecOps


Built-in security practices
across the DevOps lifecycle


Qualys-on-Qualys
* Manage vulnerabilities
* Comply with policies
* Secure and shield web apps
* Validate file integrity
* Monitor systems

[App icons: VM, SCA, TP, PC, IOC, PCI, WAS, WAF]
Qualys Cloud Platform


of Applications

Shared Services: Authentication Service, Authorization Service, Subscription Service, Indexing Service, Data Sync Service, Tagging Service

Messaging, Data, Analytics: kafka, ceph, elastic, redis, cassandra

Infrastructure and DevOps Toolchain: Logging, Monitoring, Config Mgmt., CI/CD
Qualys Cloud Applications


Asset Inventory: Maintain full, instant visibility of all your global IT assets
CMDB Sync: Synchronize asset information from Qualys into ServiceNow CMDB
Certificate Inventory: Inventory of TLS/SSL digital certificates on a global scale
Cloud Inventory: Inventory of all your cloud assets across AWS, Azure, GCP and others


Vulnerability Management: Continuously detect and protect against attacks, anytime, anywhere
Container Security: Discover, track, and continuously protect containers
Threat Protection: Pinpoint your most critical threats and prioritize patching
Certificate Assessment: Assess all your digital certificates for TLS/SSL vulnerabilities
Indication of Compromise: Continuously monitor endpoints to detect suspicious activity
Continuous Monitoring: Alerts you in real time about network irregularities
Patch Management (Beta): Select, manage, and deploy patches to remediate vulnerabilities


COMPLIANCE MONITORING

Policy Compliance: Assess security configurations of IT systems throughout your network
Cloud Security Assessment: Get full visibility and control across all public cloud instances
PCI Compliance: Automate, simplify and attain PCI compliance quickly
Security Assessment Questionnaire: Minimize the risk of doing business with vendors and other third parties
File Integrity Monitoring: Log and track file changes across global IT systems
Security Configuration Assessment: Automate configuration assessment of global IT assets


WEB APPLICATION SECURITY

Web Application Scanning: Secure web applications with end-to-end protection
Web Application Firewall: Block attacks and virtually patch web application vulnerabilities
Advanced Correlation & Analytics


ML/AI: Patterns | Outlier | Predictive
Service Orchestration & Automation: SoC Integration | Playbooks | Response
UEBA: User & Entity Behavior Analytics
Threat Hunting: Search | Exploration | Behavior Graph
Security Analytics: Anomaly | Visualization | Dashboard
Advanced Correlation: Actionable Insights | Out-of-box Rules


Qualys Security Data Lake Platform


Data Ingestion | Normalization | Enrichment | Governance


Network | Security | Server | End Point | Qualys Apps | Apps | Cloud | Users | IoT


Qualys Quick Connectors 
Sumedh Thakar
Cloud Agent Platform


Chris Carlson 
VP, Product Management, Qualys, Inc. 


Digital Transformation is Driving IT 
Transformation for Organizations 


[Diagram: Public Clouds (Google Cloud Platform, Microsoft Azure), Private Clouds, Internet, Enterprise On Premise, Remote End Users]


... But creates new Challenges for Security 


Don't know how many assets you have 
Don't know when those assets are running 
Credential issues / Authentication failures 

Monthly / weekly scanning too slow [WannaCry] 
Can't scan remote users 
Qualys Sensors
Scalable, self-updating & centrally managed

Physical 


Legacy data 
centers 


Corporate 
infrastructure 


Continuous 
security and 
compliance 
scanning 




Virtual 


Private cloud 
infrastructure 


Virtualized 
Infrastructure 


Continuous 
security and 
compliance 
scanning 




Cloud/Container 


Commercial IaaS &
PaaS clouds 


Pre-certified in 
market place 


Fully automated with 
API orchestration 


Continuous security 
and compliance 
scanning 




Cloud Agents 


Light weight, multi- 
platform 


On premise, elastic 
cloud & endpoints 


Real-time data 
collection 


Continuous 
evaluation on 
platform for security 
and compliance 


Passive 


Passively sniff on 
network 


Real-time device 
discovery & 
identification 


Identification of APT
network traffic 


Extract malware files 
from network for 
analysis 


API 


Integration with 
Threat Intel feeds 


CMDB 
Integration 


Log connectors 


Qualys Cloud Agent Platform 




Lightweight 
Software 
Agent 


(collects metadata only) 


On-Premise
Servers
Public Cloud


User 
Endpoints 


Windows 
Linux 
Mac 
AIX 
Cloud Native 


Delivers 
Multiple 
Security 
Functions in 
one Agent 


Central Management / API


Qualys Suite of
Applications


Efficient Network Usage 50 - 350 KB / day 


(Delta Processing average) 


Lightweight Metadata 14.50 
Collection (tunable)


Windows, Linux, Mac, AIX 3 MB application 
IT, Security, Compliance Apps


Asset Inventory
Vulnerability Management
Policy Compliance
Indication of Compromise Detection
File Integrity Monitoring


Upcoming IT App (Beta November 2018)


Patch Management


[Screenshot: Cloud Agent list with columns Version, Status/Last Checked-in, Agent Modules, Configuration, Tags]


Try and Manage 
Apps on One 
Cloud Agent 


End the fight with IT to deploy 
security agents! 


Remove point-solution agents 
from your endpoints 


Consolidate security tools 


[Screenshot: "Edit the activation key" dialog]

Activation Key

An activation key is used to install agents. This provides a way to group agents and better manage your account. By
default this key is unlimited - it allows you to add any number of agents at any time

Title: Global_user_endpoints

Provision Key for these applications

Vulnerability Management: 98919 Licenses Remaining
Policy Compliance: 99134 Licenses Remaining
File Integrity Monitoring: 998 Licenses Remaining
Indication of Compromise: 96 Licenses Remaining

Set limits: Unlimited Key
Cloud Agent
Extends Network Scanning


No scan windows needed - always collecting
Find vulnerabilities faster
Detect a fixed vulnerability faster


Many new Apps only available on Agent


Best for assets that can’t be scanned


Unable to get credentials / authentication
failures


Remote systems in branch offices / NAT 
Roaming user endpoints 


Cloud / Elastic deployments 
Cloud Agent Adoption


(Units in millions) 


Number of Cloud Agents Sold 


LTM LTM LTM LTM 
Q4 2017 Q1 2018 Q2 2018 Q3 2018 
Cloud Agent VM Usage and
Growth Drivers


10,000,000s
- Visibility + Lightweight agent increases adoption


1,000,000
- Increase endpoints
- Growth in endpoint deployments
- Increase in public cloud
- Capture migration from on-premise servers to public cloud (AWS primarily)


2017 (50-300K)
for Servers


100,000s
- Deploy on servers to overcome customer limitations with their network scanning
  - Auth issues
  - Scan windows
  - More frequent VM assessments
- Initial adoption for end-users (WannaCry)
- Initial work to build CA into CI/CD/DevOps pipelines
- Early CA deployments in AWS and Azure


Cloud Agent CPU Tuning - Linux


[Chart: AWS EC2 CPU Utilization (Percent), Statistic: Average, Time Range: 12 Hours; AWS t2.micro instance running Cloud Agent]

VM: < 1.2% CPU peak usage for less than 15

0.5% CPU when idle

Not allowed to scan nano, micro, or small instances using network scanning


Cloud Agent CPU Tuning - Windows


[Chart: Windows Performance Monitor, 4:13:22 PM to 9:30:26 AM, Duration 17:17:03, Last 0.060, Maximum 99.890; counters % Privileged Time and % User Time (Process)]

Tunable CPU Limit
Example: 8% configured max on 1-core
(Effective: <2% on 4-core)


London | 16 November 2017
Selected Cloud Agent Deployments


Ecommerce / Technology: 40,000,000/yr AWS + 210,000 Windows
Technology Company: 2,000,000 Azure
Ecommerce: 3,500,000/yr AWS
Financial Services: 485,000 Windows (+ 500,000 Linux 2H 2018)
Financial Services: 200,000 (AWS and users) + 20,000 FIM
Professional Services: 340,000 user and servers
Retailer: 100,000 in datacenter and 2,500 stores
Financial Services: 3,000 ATM machines
Cloud Native - Collect Provider Metadata


AWS EC2: accountId, amiId, availabilityZone, hostname, hostnamePublic, instanceId, instanceType, kernelId, macAddress, privateIpAddress, publicIpAddress, region, reservationId, securityGroupIds, securityGroups, subnetId, VPCId

Microsoft Azure: dnsservers, ipv6, location, macAddress, name, offer, osType, privateIpAddress, publicIpAddress, publisher, resourceGroupName, tags, subnet, subscriptionId, version, vmId, vmSize

Google Compute Platform: hostname, instanceId, macAddress, machineType, network, privateIpAddress, projectId, projectIdNo, publicIpAddress, zone


Agent collects metadata locally


Cloud Provider Metadata (AWS EC2 example)


accountId: 383031258652
ami-id: ami-d874e0a0
ami-launch-index: 2
availabilityZone: us-west-2a
hostname: ip-172-31-36-214.us-west-2.compute.internal
imageId: ami-d874e0a0
instance-id: i-03e86d77745bb2bba
instanceType: t2.micro
local-hostname: ip-172-31-36-214.us-west-2.compute.internal
local-ipv4: 172.31.36.214
mac: 06:26:0c:74:c5:9a
privateIp: 172.31.36.214
profile: default-hvm
public-hostname: ec2-18-236-81-63.us-west-2.compute.amazonaws.com
public-ipv4: 18.236.81.63
region: us-west-2
reservation-id: r-06e5580c2918a00ba
security-groups: launch-wizard-2
Cloud Instance Metadata Merge
and Agent Dynamic License Management


EC2 Connector — Available now
aws.ec2.accountId
aws.ec2.availabilityZone
aws.ec2.hostname
aws.ec2.hostnamePublic
aws.ec2.imageId
aws.ec2.instanceState
aws.ec2.instanceType
aws.ec2.kernelId
aws.ec2.privateDNS
aws.ec2.privateIPAddress
aws.ec2.publicDNS
aws.ec2.publicIPAddress
aws.ec2.region.code
aws.ec2.region.name
aws.ec2.spotInstance
aws.ec2.subnetId
aws.ec2.VPCId


Automatically merge
on Instance ID (Nov


Automated Rules (Dec
2018)
“When instanceState =
TERMINATED, then remove Cloud
Agent license”


Cloud Agent — Available now
aws.ec2.accountId
aws.ec2.availabilityZone
aws.ec2.hostname
aws.ec2.imageId
aws.ec2.instanceType
aws.ec2.kernelId
aws.ec2.privateDNS
aws.ec2.privateIPAddress
aws.ec2.publicDNS
aws.ec2.publicIPAddress
aws.ec2.region.code
aws.ec2.region.name
aws.ec2.subnetId
aws.ec2.VPCId
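
The merge on instance ID and the quoted state-based rule, sketched as an added example (not Qualys code and not part of the original slides). The record layout, the `instanceId` and `licensed` keys, the function names and every sample value are constructed for illustration; only the `aws.ec2.*` attribute names come from the slide.

```python
# Added example: join the connector view (cloud API) and the agent view
# (collected on the host) of the same EC2 fleet, then evaluate the rule
# "When instanceState = TERMINATED, then remove Cloud Agent license".

# Constructed sample records. "instanceId" and "licensed" are assumed keys.
CONNECTOR_RECORDS = [
    {"instanceId": "i-0aaa0000000000001", "aws.ec2.instanceState": "RUNNING",
     "aws.ec2.instanceType": "t2.micro", "aws.ec2.privateIPAddress": "10.0.0.11"},
    {"instanceId": "i-0aaa0000000000002", "aws.ec2.instanceState": "TERMINATED",
     "aws.ec2.instanceType": "t2.micro", "aws.ec2.privateIPAddress": "10.0.0.12"},
    {"instanceId": "i-0aaa0000000000003", "aws.ec2.instanceState": "running",
     "aws.ec2.instanceType": "m5.large", "aws.ec2.privateIPAddress": "10.0.1.20"},
]
AGENT_RECORDS = [
    {"instanceId": "i-0aaa0000000000001", "licensed": True,
     "aws.ec2.instanceType": "t2.micro", "aws.ec2.privateIPAddress": "10.0.0.11"},
    {"instanceId": "i-0aaa0000000000002", "licensed": True,
     "aws.ec2.instanceType": "t2.micro", "aws.ec2.privateIPAddress": "10.0.0.99"},
    {"instanceId": "i-0aaa0000000000004", "licensed": True,
     "aws.ec2.instanceType": "t2.micro"},          # connector has not seen it yet
    {"instanceId": None, "licensed": True},        # agent on a non-cloud host
]


def _new_asset():
    return {"attrs": {}, "sources": set(), "conflicts": {}, "licensed": False}


def merge_on_instance_id(connector_records, agent_records):
    """Return {instance_id: asset}; the connector value wins on conflict."""
    assets = {}
    for rec in connector_records:
        asset = assets.setdefault(rec["instanceId"], _new_asset())
        asset["sources"].add("connector")
        asset["attrs"].update(
            {k: v for k, v in rec.items() if k.startswith("aws.ec2.")})
    for rec in agent_records:
        iid = rec.get("instanceId")
        if not iid:                     # nothing to merge on
            continue
        asset = assets.setdefault(iid, _new_asset())
        asset["sources"].add("agent")
        asset["licensed"] = asset["licensed"] or bool(rec.get("licensed"))
        for key, value in rec.items():
            if not key.startswith("aws.ec2."):
                continue
            known = asset["attrs"].setdefault(key, value)
            if known != value:
                # Keep the earlier value but record the disagreement: stale
                # agent data or a reused address deserves a second look.
                asset["conflicts"][key] = {"kept": known, "agent": value}
    return assets


def instance_state(asset):
    """Normalised state; empty string when only the agent has reported."""
    return str(asset["attrs"].get("aws.ec2.instanceState", "")).upper()


def licenses_to_release(assets):
    """Instances matching the slide's rule: TERMINATED and still licensed."""
    return sorted(iid for iid, a in assets.items()
                  if a["licensed"] and instance_state(a) == "TERMINATED")


def running_without_agent(assets):
    """Visibility gap: running instances the connector sees with no agent data."""
    return sorted(iid for iid, a in assets.items()
                  if instance_state(a) == "RUNNING" and "agent" not in a["sources"])


if __name__ == "__main__":
    merged = merge_on_instance_id(CONNECTOR_RECORDS, AGENT_RECORDS)
    print("release licence:", licenses_to_release(merged))
    print("no agent:", running_without_agent(merged))
    for iid, asset in sorted(merged.items()):
        if asset["conflicts"]:
            print("conflict on", iid, asset["conflicts"])
```

An agent-only record has no `aws.ec2.instanceState`, so the rule never releases its licence; only the connector's view of the instance state can trigger removal.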
Integrate Cloud Agent into DevOps


Use Cases for DevOps
- Build Cloud Agent into gold image or auto-deploy with CI/CD - self-service results from Qualys API/UI & integrations
- Get vulnerability and configuration posture of OS and application along the DevOps pipeline
- Fix/verify security issues before going into production

Use Cases for Security
- End-to-end lifecycle tracking - development, deployment, production, decommission
- Same Cloud Agent across cloud, on-premise, endpoint, hybrid
- Single platform as DevOps tools evolve - Qualys Container Security, Jenkins integration, API automation, more
Cloud Agent - Microsoft Azure Integration


[Screenshot: Azure Security Center - Overview > Recommendations]

MONITORING RECOMMENDATIONS
Data collection installation status: 31 of 56 VMs

VIRTUAL MACHINES RECOMMENDATIONS
Endpoint Protection not installed: 4 of 56 VMs
Missing scan data: 11 of 56 VMs
Remediate OS vulnerabilities (by Microsoft): 5 of 56 VMs
Missing system updates: 1 of 56 VMs
Endpoint Protection health failures: 1 of 56 VMs
Missing disk encryption: 5 of 56 VMs
OS version not updated: 2 of 4 Roles
Vulnerabilities found: 2 of 56 VMs
Healthy: 6 of 60 VMs & Roles
Add a vulnerability assessment solution


[Screenshot: Azure Security Center, "Add a Vulnerability Assessment" for virtual machines vm3 and vm4 (Install on 2 VMs), with options "Create New" and "Use existing solution" (Qualys, Inc. - Qualys-VA)]

[Screenshot: virtual machine security detail. Fields shown: RESOURCE GROUP, SUBSCRIPTION, VIRTUAL IP, OPERATING SYSTEM, VERSION, STATUS, MONITORING STATE, PREVENTION STATUS, SYSTEM UPDATES, OS VULNERABILITIES, VULNERABILITY SCANNER - PREVIEW. Values shown: HS_RESOURCEGROUP; Visual Studio Premium with MSDN; Windows; Compute; Deallocated; Monitored by Azure Security Center; High severity; Microsoft (Last scan time - 10/3/2016 1:22 PM); Microsoft (Last scan time - 10/3/2016 1:22 PM); Qualys (Last scan time - 10/3/2016 11:56 PM)]


VULNERABILITY NAME (severity column as shown: 1 High, 5 Medium, 14 Low)

Enabled DCOM
Allowed Null Session
Enabled Cached Logon Cre...
Machine Information Discl...
Microsoft Windows Explore...
Windows Explorer Autopla...
Access to File Share is Enab...
ActiveX Controls Enumerated
Antivirus Product Not Dete...
Disabled Clear Page File
Enabled Caching of Dial-up...
Enabled Display Last Usern...
File Access Permissions for...
Host Scan Time
Hyper-V Host Information...
Installed Applications Enu...
Internet Protocol version 6 ...
IPSEC Policy Agent Service...
Message For Users Attempt..
VULNERABILITY NAME: Enabled DCOM

SEVERITY: High

DESCRIPTION: The Distributed Component Object Model (DCOM) is a
protocol that enables software components to
communicate directly over a network. The Distributed
Component Object Model (DCOM) is enabled on this
system.

SOLUTION: Refer to Microsoft article Best Practices for Mitigating
RPC and DCOM Vulnerabilities to obtain information
on vulnerabilities in DCOM and ways to mitigate those
vulnerabilities. Information on disabling DCOM can be
found at the Microsoft Technet article called How to
Disable DCOM Support in Windows. For disabling
DCOM on Windows 7, Windows 8, Windows Server
2008, Windows Server 2008 R2, and Windows Server
2012 refer to Microsoft's article Enable or Disable
DCOM.
Vulnerability Spread at Speed of DevOps


[Screenshot: Azure portal, Virtual machines list including RHEL74-CC1-Azure and RHEL75-CC3-USEast2-Azure, beside Azure Marketplace images (Red Hat Enterprise Linux 7.4, Windows Server, Ubuntu Server, SQL Server 2017 Enterprise)]
Auto-Deploy Qualys Cloud Agent


[Screenshot: Azure Security Center, Security solutions. Connected solutions (1): Healthy. Add data sources (5): Non-Azure computers, Common Event Format]
Vulnerability Results


[Screenshot: asset detail for RHEL74-CC1-Azure, Vulnerabilities view. Side menu: Asset Summary, Agent Summary, Network Information, Open Ports, Installed Software, Vulnerabilities, Threat Protection RTIs, File Integrity Monitoring, Indication of Compromise, Alert Notifications, Azure VM Information]

Confirmed Vulnerabilities: 24 (Sev 5: 1, Sev 4: 16, Sev 3: 7)
Potential Vulnerabilities: 3 (Sev 5: 0, Sev 4: 0, Sev 3: 3)

Vulnerability Detection by Status In the last 7 Days: Active, Reopened, Fixed
Threat Protection Exploitability


[Screenshot: asset detail, Threat Protection Summary]

Total Vulnerabilities by RTI: Zero Day, Unpatchable, Active Attacks, High Lateral Movement, High Data Loss, Vulnerable to DOS, Public Exploit


LATEST THREATS FROM LIVE FEED

OpenSSH User name Enumeration Vulnerability : CVE-2018-15473
L1 Terminal Fault /Foreshadow Attack aka L1TF Attack
PoC Exploit available for CVE-2018-15473
SegmentSmack: CVE-2018-5390

Published 8/29/2018
Cloud Agent Roadmap


Agent Releases
* Mac 1.7.2 - released Aug 29
* Linux 2.1 upgrade from 2.0 (FIM) - released Aug 29
* Linux 22 - Dec rollout for Policy Compliance UDCs
* Windows 2.1.1 rollout - started Oct 17 / complete Oct 22
* https://www.qualys.com/documentation/release-notes


Features
* Cloud Provider Metadata (AWS, Azure, GCP) - available
* EC2 Connector / Cloud Agent merge - available
* Nov - Windows agent to support Patch Management Beta
* Dec - Policy Compliance UDCs (Windows / Linux / AIX)
* Dec - Agent Lifecycle Management
  (Public cloud State-based w/ Connector / Any asset using Time-based)


QUALYS SECURITY CONFERENCE 2018


Thank You 


Chris Carlson 
ccarlson@qualys.com 


